TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Webmaster:
Blaise Carrera
SNORT_INLINE - The Easy Tutorial - Bridge

Snort_Inline Bridge
Last Change : Apr 26 2007 french flagenglish flag


Tool
Install
Ergonomy
Forum



Details What is Snort_Inline?
Screenshots
Prerequisites
Installation
Oinkmaster - Snort Rules
Oinkmaster - Bleeding Rules
Run Snort_Inline
BASE
Bridging



⚠️⚠️⚠️
Please check our website about
attractions in Western Switzerland !! (Please use english translation).

⚠️⚠️⚠️
Merci de consulter notre site sur les
activités à faire en Suisse romande !!


After all our efforts to configure Snort_Inline, we must be careful to put our brand new IPS at the right place in the network.

A Snort IDS just needs to be connected to a switch port where it receives the traffic coming from a mirrored port. See how to configure port mirroring.

For our IPS, the network configuration above cannot be used because Snort_Inline must check the packets before deciding to drop or accept them. It must be placed along the network link we want to analyze and configured as a bridge.
So you must have a minimum of two networks interfaces, three of them is better because you can dedicate a port to the IPS management.

bridge debian ubuntu IPS snort_inline

Load the bridge kernel module.

#modprobe bridge
Install the tool to manage bridges:

#apt-get install bridge-utils
Configure the networking (/etc/network/interfaces file).
If you have a network interface dedicated to the bridge management, choose case 1, otherwise (ie: you have only 2 network interfaces) choose case 2.

CASE 1 CASE 2
 # /etc/network/interfaces file
 #
 # Loopback interface
 auto lo
      iface lo inet loopback

 #
 # Configure the bridge
 auto br0
 iface br0 inet manual

    # Ports you want to add to your bridge
    bridge_ports eth0 eth1
    # Time to wait before loading the bridge
    bridge_maxwait 0
 #
 # Configure the bridge management
 # interface.
 auto eth2
 iface eth2 inet static
      address 192.168.1.22
      netmask 255.255.255.0
      broadcast 192.168.1.255
      gateway 192.168.1.1
 # /etc/network/interfaces file
 #
 # Loopback interface
 auto lo
      iface lo inet loopback

 #
 # Configure the bridge
 auto br0
 iface br0 inet static
      address 192.168.1.22
      netmask 255.255.255.0
      broadcast 192.168.1.255
      gateway 192.168.1.1

    # Ports you want to add to your bridge
    bridge_ports eth0 eth1
    # Time to wait before loading the bridge
    bridge_maxwait 0
 
 
 
 
 
Restart the networking service.

#/etc/init.d/networking restart
* Reconfiguring network interfaces...



You can watch the logs with the following command:

#tail -f /var/log/syslog
Below is given the log output during the networking service restart.

ubuntu kernel: br0: port 2(eth1) entering disabled state
ubuntu kernel: br0: port 1(eth0) entering disabled state
ubuntu dhclient: receive_packet failed on eth0: Network is down
ubuntu kernel: device eth0 left promiscuous mode
ubuntu kernel: audit(1175176752.661:116): dev=eth0 prom=0 old_prom=256 auid=4294967295
ubuntu kernel: br0: port 1(eth0) entering disabled state
ubuntu kernel: eth1: Setting promiscuous mode.
ubuntu dhclient: receive_packet failed on eth1: Network is down
ubuntu dhclient: receive_packet failed on eth1: Network is down
ubuntu kernel: device eth1 left promiscuous mode
ubuntu kernel: audit(1175176752.669:117): dev=eth1 prom=0 old_prom=256 auid=4294967295
ubuntu kernel: br0: port 2(eth1) entering disabled state
ubuntu kernel: device eth0 entered promiscuous mode
ubuntu kernel: audit(1175176752.741:118): dev=eth0 prom=256 old_prom=0 auid=4294967295
ubuntu kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
ubuntu kernel: e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
ubuntu kernel: device eth1 entered promiscuous mode
ubuntu kernel: audit(1175176752.769:119): dev=eth1 prom=256 old_prom=0 auid=4294967295
ubuntu kernel: ACPI: PCI Interrupt 0000:01:0e.0[A] -> GSI 22 (level, low) -> IRQ 185
ubuntu kernel: eth1: setting full-duplex.
ubuntu kernel: eth1: Setting promiscuous mode.
ubuntu last message repeated 6 times
ubuntu kernel: br0: port 2(eth1) entering learning state
ubuntu kernel: br0: port 1(eth0) entering learning state
ubuntu kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
ubuntu kernel: br0: no IPv6 routers present
ubuntu kernel: eth1: no IPv6 routers present
ubuntu kernel: eth0: no IPv6 routers present
ubuntu kernel: br0: topology change detected, propagating
ubuntu kernel: br0: port 2(eth1) entering forwarding state
ubuntu kernel: br0: topology change detected, propagating


The network interfaces statistics (case 2, see above)
The bridge MAC address is the smallest MAC address of its members.

#ifconfig
br0     Link encap:Ethernet HWaddr 00:00:11:22:33:44
         inet addr:192.168.1.22 Bcast:192.168.1.255 Mask:255.255.255.0
         inet6 addr: fe80::202:55ff:fe13:9d05/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:1061 errors:0 dropped:0 overruns:0 frame:0
         TX packets:878 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:723663 (706.7 KiB) TX bytes:115514 (112.8 KiB)

eth0    Link encap:Ethernet HWaddr 00:00:11:22:33:44
         inet6 addr: fe80::202:55ff:fe13:9d05/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:16738 errors:0 dropped:0 overruns:0 frame:0
         TX packets:6824 errors:0 dropped:0 overruns:0 carrier:0
         collisions:10 txqueuelen:1000
         RX bytes:5782167 (5.5 MiB) TX bytes:704700 (688.1 KiB)

eth1    Link encap:Ethernet HWaddr 00:99:aa:bb:cc:dd
         UP BROADCAST MULTICAST MTU:1500 Metric:1
         RX packets:36605 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1842 errors:0 dropped:0 overruns:0 carrier:14
         collisions:0 txqueuelen:1000
         RX bytes:9446601 (9.0 MiB) TX bytes:160001 (156.2 KiB)
         Interrupt:185 Base address:0x4f80

lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:8393 errors:0 dropped:0 overruns:0 frame:0
        TX packets:8393 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:1077749 (1.0 MiB) TX bytes:1077749 (1.0 MiB)


Use the brctl command to see the bridge members.

#brctl show
bridge name   bridge id                     STP enabled       interfaces
br0               8000.000255139d05       no                   eth1
                                                                         eth0


Add a cron job to load the bridge kernel module each time your Linux boots.

#crontab -e -u root
@reboot root lsmod | grep bridge >/dev/null || /sbin/modprobe bridge;



Give us your feedback about this tutorial !!!